syzbot

 sign-in | mailing list | source | docs
🐞 Open [142] 🐞 Fixed [16] 🐞 Invalid [163] 📈 Kernel Health 📈 Bugs/Month 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: stack-out-of-bounds Read in xfrm_selector_match

Status: public: reported C repro on 2019/04/11 08:44
Reported-by: syzbot+c8463c5b3015c191734e@syzkaller.appspotmail.com
First crash: 2276d, last: 2045d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: stack-out-of-bounds Read in xfrm_selector_match C 672 2035d 2503d 0/3 closed as invalid on 2018/11/08 02:37
upstream KASAN: stack-out-of-bounds Read in xfrm_selector_match net 368 2333d 2339d 4/26 fixed on 2018/02/13 04:59
upstream KASAN: stack-out-of-bounds Read in xfrm_selector_match (2) net 1 1351d 1349d 15/26 fixed on 2020/11/16 12:12
android-414 KASAN: stack-out-of-bounds Read in xfrm_selector_match 1 1684d 1683d 0/1 auto-closed as invalid on 2020/02/19 14:26
android-49 KASAN: stack-out-of-bounds Read in xfrm_selector_match (2) C 13 1682d 1876d 0/3 public: reported C repro on 2019/04/13 00:00

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
random: sshd: uninitialized urandom read (32 bytes read, 34 bits of entropy available)
random: nonblocking pool is initialized
A link change request failed with some changes committed already. Interface teql0 may have been left with an inconsistent configuration, please check.
==================================================================
BUG: KASAN: stack-out-of-bounds in memcmp+0x126/0x160 lib/string.c:742
Read of size 1 at addr ffff8800b92078e0 by task syz-executor471/3708

CPU: 0 PID: 3708 Comm: syz-executor471 Not tainted 4.4.140-ged9bdc8 #68
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 c082ff154dcd4715 ffff8800b9207410 ffffffff81e0e08d
 ffffea0002e481c0 ffff8800b92078e0 0000000000000000 ffff8800b92078e0
 0000000000000000 ffff8800b9207448 ffffffff81515a56 ffff8800b92078e0
Call Trace:
 [<ffffffff81e0e08d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e0e08d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81515a56>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [<ffffffff81515d75>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81515d75>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814f9804>] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426
 [<ffffffff81e2a516>] memcmp+0x126/0x160 lib/string.c:742
 [<ffffffff833ce84d>] addr_match include/net/xfrm.h:837 [inline]
 [<ffffffff833ce84d>] __xfrm6_selector_match net/xfrm/xfrm_policy.c:81 [inline]
 [<ffffffff833ce84d>] xfrm_selector_match+0x12d/0xe50 net/xfrm/xfrm_policy.c:95
 [<ffffffff833cf6c1>] xfrm_sk_policy_lookup+0x151/0x350 net/xfrm/xfrm_policy.c:1241
 [<ffffffff833d2455>] xfrm_lookup+0x1b5/0xb70 net/xfrm/xfrm_policy.c:2189
 [<ffffffff833d3d29>] xfrm_lookup_route+0x39/0x1b0 net/xfrm/xfrm_policy.c:2323
 [<ffffffff83428b77>] ip6_dst_lookup_flow+0x1b7/0x2f0 net/ipv6/ip6_output.c:1072
 [<ffffffff834cd5f8>] tcp_v6_connect+0xd58/0x1b70 net/ipv6/tcp_ipv6.c:249
 [<ffffffff832f9a79>] __inet_stream_connect+0x2a9/0xc30 net/ipv4/af_inet.c:615
 [<ffffffff83249740>] tcp_sendmsg_fastopen net/ipv4/tcp.c:1092 [inline]
 [<ffffffff83249740>] tcp_sendmsg+0x1600/0x2b00 net/ipv4/tcp.c:1112
 [<ffffffff83300cc3>] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [<ffffffff82f1deac>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82f1deac>] sock_sendmsg+0xcc/0x110 net/socket.c:635
 [<ffffffff82f1eb8c>] SYSC_sendto+0x21c/0x370 net/socket.c:1665
 [<ffffffff82f21210>] SyS_sendto+0x40/0x50 net/socket.c:1633
 [<ffffffff838c27a5>] entry_SYSCALL_64_fastpath+0x22/0x9e

The buggy address belongs to the page:
page:ffffea0002e481c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800b9207780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800b9207800: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2
>ffff8800b9207880: f2 f2 00 00 00 00 00 00 00 00 00 00 f2 f2 00 00
                                                       ^
 ffff8800b9207900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800b9207980: 00 00 00 f1 f1 f1 f1 00 00 00 00 00 f2 f2 f2 00
==================================================================

Crashes (36):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/07/17 02:33 https://android.googlesource.com/kernel/common android-4.4 ed9bdc8a8fc5 40cb0c9a .config console log report syz C ci-android-44-kasan-gce
2018/04/10 13:37 https://android.googlesource.com/kernel/common android-4.4 38f41ec1cb31 8e873e9d .config console log report syz C ci-android-44-kasan-gce
2018/04/10 13:24 https://android.googlesource.com/kernel/common android-4.4 38f41ec1cb31 8e873e9d .config console log report syz ci-android-44-kasan-gce-386
2018/10/25 21:29 https://android.googlesource.com/kernel/common android-4.4 c4b00eb70496 a8292de9 .config console log report ci-android-44-kasan-gce
2018/10/22 08:57 https://android.googlesource.com/kernel/common android-4.4 3eb8e7351955 ecb386fe .config console log report ci-android-44-kasan-gce
2018/10/10 09:45 https://android.googlesource.com/kernel/common android-4.4 ea3a6005d280 8b311eaf .config console log report ci-android-44-kasan-gce
2018/10/06 15:02 https://android.googlesource.com/kernel/common android-4.4 ea3a6005d280 8b311eaf .config console log report ci-android-44-kasan-gce
2018/08/26 14:03 https://android.googlesource.com/kernel/common android-4.4 e5c5f1fae55d 758cd203 .config console log report ci-android-44-kasan-gce
2018/08/18 12:18 https://android.googlesource.com/kernel/common android-4.4 f76bdbdd516d db1858f6 .config console log report ci-android-44-kasan-gce
2018/08/11 05:20 https://android.googlesource.com/kernel/common android-4.4 a5fc66599b61 7a88b141 .config console log report ci-android-44-kasan-gce
2018/08/03 08:18 https://android.googlesource.com/kernel/common android-4.4 2241aa98c9aa 5b7e23bb .config console log report ci-android-44-kasan-gce
2018/07/31 06:42 https://android.googlesource.com/kernel/common android-4.4 8ddb600e033f 1a381291 .config console log report ci-android-44-kasan-gce
2018/07/23 22:09 https://android.googlesource.com/kernel/common android-4.4 1b37d68f4c82 912c93d7 .config console log report ci-android-44-kasan-gce
2018/07/15 13:40 https://android.googlesource.com/kernel/common android-4.4 ed9bdc8a8fc5 92a49505 .config console log report ci-android-44-kasan-gce
2018/06/30 19:59 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 dba0b50e .config console log report ci-android-44-kasan-gce
2018/06/29 00:28 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 dba0b50e .config console log report ci-android-44-kasan-gce
2018/06/28 15:21 https://android.googlesource.com/kernel/common android-4.4 cf21a9ac5ee4 dba0b50e .config console log report ci-android-44-kasan-gce
2018/06/24 07:24 https://android.googlesource.com/kernel/common android-4.4 226f96b03dc2 2064fc5c .config console log report ci-android-44-kasan-gce
2018/06/24 01:05 https://android.googlesource.com/kernel/common android-4.4 226f96b03dc2 2064fc5c .config console log report ci-android-44-kasan-gce
2018/06/19 18:33 https://android.googlesource.com/kernel/common android-4.4 226f96b03dc2 732e4256 .config console log report ci-android-44-kasan-gce
2018/06/19 16:42 https://android.googlesource.com/kernel/common android-4.4 226f96b03dc2 732e4256 .config console log report ci-android-44-kasan-gce
2018/06/08 09:11 https://android.googlesource.com/kernel/common android-4.4 fb7e31963455 f7b27b7a .config console log report ci-android-44-kasan-gce
2018/06/06 11:30 https://android.googlesource.com/kernel/common android-4.4 7e3a6fc48335 41f9540d .config console log report ci-android-44-kasan-gce
2018/05/29 15:49 https://android.googlesource.com/kernel/common android-4.4 3f51ea2db97d e276de77 .config console log report ci-android-44-kasan-gce
2018/05/18 19:43 https://android.googlesource.com/kernel/common android-4.4 46155cc7bd1b 849705db .config console log report ci-android-44-kasan-gce
2018/05/17 09:36 https://android.googlesource.com/kernel/common android-4.4 46155cc7bd1b a367c1d7 .config console log report ci-android-44-kasan-gce
2018/05/17 08:08 https://android.googlesource.com/kernel/common android-4.4 46155cc7bd1b a367c1d7 .config console log report ci-android-44-kasan-gce
2018/05/13 11:59 https://android.googlesource.com/kernel/common android-4.4 aa3863d27614 c05b619d .config console log report ci-android-44-kasan-gce
2018/05/10 21:36 https://android.googlesource.com/kernel/common android-4.4 3702e76fb6e9 12c7428a .config console log report ci-android-44-kasan-gce
2018/05/10 03:15 https://android.googlesource.com/kernel/common android-4.4 033c952f2e7d 12c7428a .config console log report ci-android-44-kasan-gce
2018/05/08 00:43 https://android.googlesource.com/kernel/common android-4.4 fcce57111718 9e0846e8 .config console log report ci-android-44-kasan-gce
2018/05/04 07:39 https://android.googlesource.com/kernel/common android-4.4 1fe7e9202e52 9ce14f4b .config console log report ci-android-44-kasan-gce
2018/03/08 22:32 https://android.googlesource.com/kernel/common android-4.4 d63fdf61a4dc acd0caa5 .config console log report ci-android-44-kasan-gce
2018/04/19 07:23 https://android.googlesource.com/kernel/common android-4.4 38f41ec1cb31 829f0234 .config console log report ci-android-44-kasan-gce-386
2018/04/18 12:20 https://android.googlesource.com/kernel/common android-4.4 38f41ec1cb31 52643b44 .config console log report ci-android-44-kasan-gce-386
2018/04/10 12:36 https://android.googlesource.com/kernel/common android-4.4 38f41ec1cb31 8e873e9d .config console log report ci-android-44-kasan-gce-386
* Struck through repros no longer work on HEAD.